The Cursed Murderer
The Cursed Murderer is a ransomware that runs on Microsoft Windows. It was first discovered by Jirehlov. It is aimed at English-speaking users. It was written in 2018 but was released into the wild in 2020.

Payload Transmission

The Cursed Murderer is distributed by breaking in through insecure RDP configurations, and via email spam with malicious attachments, deceptive downloads, botnets, exploits, malicious ads, web injects, fake updates, and repackaged and infected installers.

Infection

During the encryption process, the ".aes" extension is appended to every affected file. For example, a file originally named "1.jpg" appears as "1.jpg.aes" after encryption. Once encryption finishes, a text file named "instructions.txt" is dropped onto the desktop, and the desktop wallpaper is changed to an image from Sword Art Online.

Text presented in The Cursed Murderer's wallpaper:

ERR0R, ALL YOUR FILES ARE ENCRYPTED... please follow the instructions on the Desktop (instructions.txt)

The text file contains the ransom note, which states that all of the victim's data has been encrypted. The message warns that under no circumstances should users "try anything", most likely meaning that they must not modify the encrypted files, attempt manual decryption, or take similar steps. To recover their data, victims are told they must pay 100 USD in Bitcoin within a time limit stated in the note. They are also instructed to send proof of payment, the associated transaction details and the unique ID listed in the message to the criminals' email address. Once this is done, victims are promised a ZIP archive containing the decryption tools/keys and instructions on how to use them.
The message ends with a threat: if the victim fails to pay, their address (most likely the IP address) will be published on darknet forums and thus exposed to other criminals. Unfortunately, in most ransomware infections decryption is impossible without the involvement of the attackers themselves; it may be feasible only if the malware has flaws (bugs) or is still in development. Regardless, paying the ransom is expressly advised against: victims frequently do not receive the decryption tools even after paying, so their data stays encrypted and they suffer a financial loss on top of it.

Text presented in The Cursed Murderer ransomware's text file ("instructions.txt"):

All your file are encrypted. DONT'T TRY ANYTHING. You must paid me 100$ to this bitcoin address : 12DxeuYEpeLwrU3KnKZNzB6hmeBu1dE2bC. You have 7 days (17 (minutes) : 10 (hours) : 10 (days) max). As soon as you pay you just have to send an email to this address : iknowyouandiseeyou@protonmail.ch with a proof of payment, the code and this id : 16514 and I will send you a zip file containing the key, the instructions and the deciphering file. If you do not pay in revenche, I will be forced to send your address on darknet forums. The Cursed Murderer.

Categories: Assembly, Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan
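A small triage script for the infection artifacts described above: files renamed with the appended ".aes" extension, the instructions.txt note on the desktop, and the strings quoted from the note. This is an added example, not part of the original page and not the malware's own code; the directory layout and file contents it builds are a constructed fixture, and the marker strings are the values quoted on this page.

```python
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".aes"  # indicators below are the values quoted on this page
NOTE_NAME = "instructions.txt"
NOTE_MARKERS = (
    "12DxeuYEpeLwrU3KnKZNzB6hmeBu1dE2bC",  # Bitcoin address quoted in the note
    "iknowyouandiseeyou@protonmail.ch",   # contact address quoted in the note
    "DONT'T TRY ANYTHING",                 # distinctive misspelling in the note
)

def scan_tree(root):
    """Walk `root`; collect files renamed to <name>.<orig ext>.aes and any
    instructions.txt notes, each mapped to the markers found in its text."""
    root = Path(root)
    report = {"encrypted": [], "notes": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        stem = path.name[: -len(ENCRYPTED_SUFFIX)]
        if path.name.lower().endswith(ENCRYPTED_SUFFIX) and "." in stem:
            report["encrypted"].append(rel)
        elif path.name.lower() == NOTE_NAME:
            text = path.read_text(errors="replace")
            report["notes"][rel] = [m for m in NOTE_MARKERS if m in text]
    report["encrypted"].sort()
    return report

def is_suspicious(report):
    """Conservative verdict: renamed files AND a note with at least one marker."""
    return bool(report["encrypted"]) and any(report["notes"].values())

def build_sample_tree():
    """Constructed fixture (hypothetical, not a real infection) in a temp dir."""
    desktop = Path(tempfile.mkdtemp(prefix="cm_demo_")) / "Desktop"
    desktop.mkdir()
    (desktop / "1.jpg.aes").write_bytes(b"\x00" * 16)
    (desktop / "report.docx.aes").write_bytes(b"\x00" * 16)
    (desktop / "todo.txt").write_text("untouched plain file")
    (desktop / NOTE_NAME).write_text(
        "All your file are encrypted. DONT'T TRY ANYTHING. You must paid me 100$ "
        "to this bitcoin address : 12DxeuYEpeLwrU3KnKZNzB6hmeBu1dE2bC. "
        "send an email to this address : iknowyouandiseeyou@protonmail.ch"
    )
    return str(desktop.parent)

if __name__ == "__main__":
    rep = scan_tree(build_sample_tree())
    print(rep, "-> suspicious" if is_suspicious(rep) else "-> clean")
```

The verdict requires both renamed files and a matching note, so a lone ".aes" file (a legitimately encrypted archive, for instance) is not flagged on its own.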